CMMC 2.0 and Level 1 Maturity

CMMC 2.0 Level 1 featured

The defense sector, responsible for safeguarding national security, is particularly vulnerable to cyber threats. As cyber-attacks become more sophisticated, there’s an urgent need for a comprehensive framework to ensure the security of sensitive data. The Cybersecurity Maturity Model Certification (CMMC) is a strategic initiative by the Department of Defense (DoD) to enhance the cybersecurity posture of the defense industrial base (DIB) through the use of a standardized maturity model.

This article discusses the latest iteration of this framework, CMMC 2.0, specifically focusing on its foundational level: Level 1 Maturity.


What is CMMC 2.0?

The CMMC initiative was born out of the increasing cyber threats targeting the vast network of contractors and subcontractors working with the DoD. Recognizing the need for a unified cybersecurity standard, the DoD introduced the CMMC framework to ensure contractors have the necessary cybersecurity practices and processes to handle Controlled Unclassified Information (CUI).

While the original CMMC model laid the groundwork for cybersecurity standards, CMMC 2.0 refines and streamlines these standards for better clarity and implementation. The primary objectives of CMMC 2.0 include standardizing security in the supply chain and maintaining the highest quality of security throughout that standard. 

CMMC 2.0 is an update and a significant evolution from its predecessor. Some of the key changes include:

  • Streamlining of practices and processes to reduce complexity.
  • Introducing self-assessment options for certain maturity levels makes the certification process more accessible for smaller contractors.
  • Enhanced clarity on requirements, ensuring that contractors can more easily understand and meet the necessary cybersecurity standards.


Understanding Level 1 Maturity in CMMC 2.0

CMMC 2.0 Level 1

Level 1 Maturity, aptly termed the “foundational” level, represents the baseline of cybersecurity practices that every DoD contractor should adhere to. It’s the starting point, ensuring that even the smallest contractors with limited resources can implement basic cybersecurity hygiene. The significance of this level cannot be understated; it ensures that every entity in the DoD supply chain, regardless of size or function, maintains a minimum standard of cybersecurity.


Self-Assessment for Certification

One of the notable features of Level 1 Maturity in CMMC 2.0 is the option for organizations to undergo a self-assessment. CMMC 1.0, and higher levels of CMMC 2.0, require assessment via a third-party organization (C3PAO) that has been certified by the government. Recognizing that external audits might be resource-intensive for smaller contractors, CMMC 2.0 allows for a self-assessment approach at this level. 

Organizations can evaluate their cybersecurity practices against the defined controls, ensuring they meet the required standards. However, organizations must approach this self-assessment honestly and diligently, understanding that safeguarding national security information is the primary goal.


Controlling CUI and FCI at Level 1

While Level 1 sets the foundational practices, it’s essential to understand that it’s just the beginning. CMMC focuses primarily on managing CUI, but only an organization is certified to do so once they reach Level 2.

Instead, Level 1 organizations can handle Federal Contract Information (FCI) composed of information generated as part of a working relationship with the government but subject to minimum security requirements. 

Organizations must consider advancing to higher maturity levels as they grow and handle more sensitive data. Level 1 is a stepping stone, ensuring organizations have the basic tools and practices before diving deeper into more advanced cybersecurity measures.


Requirements for CMMC Level 1

Compliance with CMMC rests in adopting security controls from NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Level 1, as the minimum security level, only calls for a fraction of these controls–17 specifically. 

These controls include:

Access Control (AC)

Access control focuses on managing and restricting who can access specific resources and how they can access them. Proper access control ensures that only authorized individuals can access sensitive information, reducing the risk of data breaches.

  • AC.1.001: Limit information system access to authorized users, processes acting for authorized users, or devices. This control ensures that only authorized entities can access the information system. Restricting access minimizes the risk of unauthorized data access or breaches.
  • AC.1.002: Limit information system access to the types of transactions and functions authorized users can execute. Even within authorized users, restrictions should be based on roles and responsibilities. This ensures that users only access what they need to, preventing potential internal threats or mishandling of data.
  • AC.1.003: Verify and control/limit connections to and use of external information systems. This control pertains to managing connections to external systems, ensuring they are legitimate and secure. Reduce the risk of external threats and vulnerabilities from third-party systems.
  • AC.1.004: Control information posted or processed on publicly accessible information systems. Ensure that the information shared on public systems doesn’t compromise security. Prevent unintentional sharing of sensitive information and potential public breaches.


Identification and Authentication (IA)

This domain ensures that every user or process is uniquely identified and authenticated before granting access.

  • IA.1.076: Identify information system users, processes acting on behalf of users, or devices. Every user or process should have a unique identifier for accountability. Ensure traceability and accountability for actions taken within the system.
  • IA.1.077: Authenticate (or verify) the identities of users, processes, or devices before allowing access. Before granting access, the system should verify the identity claims. Prevents unauthorized access by ensuring only verified entities can access resources.


Media Protection (MP)

This domain focuses on protecting data in transit, especially on physical media.

  • MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. Ensure that any sensitive data on physical media is completely removed or destroyed before disposal. Prevents unauthorized access or data breaches from discarded or reused media.


Physical Protection (PE)

Physical protection controls restrict and monitor physical access to information systems.

  • PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. Restrict and monitor physical access to systems and equipment. Prevent potential threats from physical tampering or unauthorized access.
  • PE.1.132: Escort visitors and monitor visitor activity. Ensure that visitors do not have unsupervised access to sensitive areas. Reduce the risk of unauthorized physical access or potential insider threats.
  • PE.1.133: Maintain audit logs of physical access. Keep detailed logs of all physical access to facilities. Provides an audit trail for investigations and ensures accountability.
  • PE.1.134: Control and manage physical access devices. Manage devices like access cards, ensuring they are secure only with authorized personnel. Prevent unauthorized access using lost or stolen access devices.


System and Communication Protection (SC)

This domain focuses on protecting information in transit and ensuring secure communications.

  • SC.1.175: Monitor, control, and protect organizational communications at the information system’s external and key internal boundaries. Ensure that data communication, especially across boundaries, is secure and monitored. Reduces the risk of data breaches during transit and ensures data integrity.
  • SC.1.176: Implement subnetworks for publicly accessible system components physically or logically separated from internal networks. Use separate networks for public-facing components to secure internal systems. Protect internal systems from potential threats originating from public networks.


System and Information Integrity (SI)

This domain ensures the integrity of information and systems by monitoring and protecting against malicious activities.

  • SI.1.210: Promptly identify, report, and correct information and system flaws. Regularly check for system vulnerabilities and address them promptly. Ensures system integrity and reduces potential exploitation risks.
  • SI.1.211: Protect malicious code at appropriate locations within organizational information systems. Implement safeguards against malware and other malicious code. Protects systems from potential malware threats, ensuring data integrity and system functionality.
  • SI.1.212: Update malicious code protection mechanisms when new releases are available. Regularly update anti-malware tools and solutions. Ensure protection against the latest known threats.
  • SI.1.213: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. Regularly scan systems for vulnerabilities and files in real-time as they are accessed. Provide continuous protection and early detection of potential threats.


Get and Stay Ready for CMMC 2.0 with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • GDPR
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series
  • ISO Assessment and Audit Standards

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Download our company brochure.

Continuum GRC